1. Technological Field
This technical disclosure pertains generally to protecting information on Internet servers against remote data theft, and more particularly to adding data theft control hardware providing one physically separate unprivileged channel to access an underlying database in a limited way and one physically separate privileged channel to access it in an unlimited way.
2. Background Discussion
Security on the Internet represents a tradeoff between cost and functionality. With infinite resources, it may be theoretically possible to maintain, check, and audit servers such that they have no vulnerabilities and prevent all unauthorized intrusions. The practical problem is offering computer security solutions that are both sufficiently simple and cost effective for wide deployment, while offering enough functionality to accomplish the needed level of security even in the presence of malicious intruders.
Obtaining this level of security at a practical cost has been an elusive goal. Existing common security solutions for Internet servers are typically quite complex. The most typical of these solutions are based on username-password authentication, and may include two-factor authentication and/or data encryption. Yet these mechanisms also typically execute on the very server that needs to be secured in the first place. Thus, if a sophisticated remote intruder manages to obtain full access to the server, the intruder can proceed to shut down any sentries, obtain all data to which the server administrative root account (“superuser”) itself has access, and intercept and/or trick the system administrator into divulging information. It should be appreciated that a “system administrator” often refers to a physical person who can relocate the device, operate the privileged channel, or both. However, in the above sentence and largely throughout the text below, this term generally refers to the superuser of the Internet-connected server. Therefore, even if some of the stored data is encrypted, a (remote) intruder who can masquerade as the server superuser can often still intercept encryption passwords and/or download many system files and encrypted files, and then investigate them on a different computer at leisure and without limits.
The difficulty of achieving and maintaining secure computer systems at reasonable cost has been demonstrated by recent highly publicized massive-scale server compromises, such as those perpetrated at Target, eBay, PF Changs, JP Morgan and others. It is notable that PF Changs even returned to the use of credit card imprinting to avoid the possibility of computer storage being compromised. Even if careful curation of servers and their attached computer networks might have prevented these break-ins in the first place, such efforts apparently had too high a cost or human overhead to maintain, despite these entities being large corporations with ample information technology (IT) resources and sophisticated administrators. It is not surprising, then, that these problems are especially acute at smaller companies, in which ordinary system administrators are often overwhelmed by the necessity of constant vigilance, maintenance, and security. A system that is secure at one moment in time can easily become compromised when a new vendor release or bug fix is made available, when new user functionality is implemented, or simply because security walls were inadvertently opened for even a brief period. Security is only as good as the weakest link.
The security dilemma in modern systems is made all the more difficult by the complexity of modern operating systems. The typical Microsoft Windows, Apple OSX, or Linux operating systems contain between 50 million (Windows Server 2003) and 400 million (Debian 7) lines of code. Recent Linux kernels alone already consist of about 16 million lines of code in about 16,000 files. However, complexity is just one of many contributing factors, as even programs with short source code (especially complex and “clever” security-related code) are not immune from coding errors that can compromise existing well-maintained servers, as recently shown by the “Heartbleed” bug. There is wide agreement that high complexity is a significant contributing factor to computer vulnerability. Ultimately, a robust security solution is only possible with reasonably low complexity. It has to be simple, or it is likely to fail eventually.
Encryption is often used to help address the problem, but this provides a poor solution for at least two reasons. First, the hacker may intercept the encryption keys. Second, the owners may forget the encryption keys and thereby lose access to their own records.
In view of the above, what is needed is a mechanism to prevent wholesale data theft over the Internet by remote attackers that is economically practical, low in complexity, and simple to maintain even by relatively unsophisticated server administrators.
Accordingly, the present disclosure describes a system for securing an Internet-accessed database which overcomes the shortcomings of these prior approaches and which can be practically implemented at low cost and complexity.
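As an added illustration, not the disclosure's own design or code, the following Python models the two-channel idea from the Technological Field and the goal stated above: an Internet-facing unprivileged channel that answers only exact-key lookups under a per-session budget, and a physically separate privileged channel with unrestricted access. The record store, the budget value, the channel classes and the policy of refusing bulk reads are all assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed sample database (illustrative values only): account id -> record
RECORDS = {
    "acct-1001": {"name": "A. Example", "balance": 120},
    "acct-1002": {"name": "B. Example", "balance": 340},
    "acct-1003": {"name": "C. Example", "balance": 560},
}


class AccessDenied(Exception):
    """Raised when a channel refuses an operation under its policy."""


@dataclass
class UnprivilegedChannel:
    """Internet-facing channel. Assumed policy (hypothetical, not the
    disclosure's): exact-key lookup only, a small per-session budget,
    and no bulk read at all, so a compromised server cannot drain the store."""
    db: dict
    budget: int = 2   # lookups allowed per session (assumed limit)
    used: int = 0

    def lookup(self, key: str) -> dict:
        if self.used >= self.budget:
            raise AccessDenied("session lookup budget exhausted")
        self.used += 1                 # unknown keys still consume budget
        if key not in self.db:
            raise AccessDenied("no such record")
        return dict(self.db[key])      # hand out a copy, never the store

    def dump(self) -> dict:
        raise AccessDenied("bulk read is not offered on this channel")


@dataclass
class PrivilegedChannel:
    """Physically separate channel (e.g. a local console port): unrestricted."""
    db: dict

    def lookup(self, key: str) -> dict:
        return dict(self.db[key])

    def dump(self) -> dict:
        return {k: dict(v) for k, v in self.db.items()}


def records_obtainable(channel, candidate_keys) -> int:
    """Count how many records a party holding `channel` can extract,
    first by bulk read, then by trying each candidate key one at a time."""
    try:
        return len(channel.dump())
    except AccessDenied:
        pass
    got = 0
    for key in candidate_keys:
        try:
            channel.lookup(key)
            got += 1
        except AccessDenied:
            continue
    return got
```

Run with the sample store, the unprivileged channel yields at most the session budget of records no matter how many keys are tried, while the privileged channel yields all of them.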